Cheese Worm Plugs Hole Left by Lion Worm

Welcome to Security Alerts, an overview of recent Unix and open-source security advisories. In this column, we look at buffer overflows in man, DQS, Netscape Enterprise Web Publisher, and IRIX Embedded Support Partner; a temporary-file race condition in the ARCservIT Unix Client; problems in Zope, Cisco Content Service Switch, CUPS, i386 syscalls in Solaris x86, and the Logitech Wireless Desktop; and talk about Cheese the "friendly" worm.

There is a buffer overflow in some versions of the the online manual pages reader man that can be exploited to gain the privileges of the man group. It has been reported that the man program shipped with Red Hat Linux 7.0 and Debian GNU/Linux are vulnerable; but that versions shipped with Caldera OpenLinux, SuSE, and Slackware are not.

Users of affected systems should watch vendors for updates and remove the set group ID bit from man until it has been patched.

DQS, the Distributed Queueing System, is a system designed to spread computing jobs across various machines on a network. There is a buffer overflow in the dsh command that is part of the package that can be exploited to execute arbitrary code as root.

Users should remove the set user ID bit from the dsh command and watch vendors for updates. Systems with the software installed that are not using it should consider uninstalling it.

Netscape Enterprise Web Publisher versions 4.1 and earlier have a remotely exploitable buffer overflow that may be used by an attacker to execute arbitrary code with the permissions of the user running the Web Publisher.

Cisco Content Service Switch (CSS) 11000 series switches will allow any user who connects via FTP with a valid account full access to all files on the system. These switches (previously known as Arrowpoint) include the CSS 11050, CSS 11150, and CSS 11800 and run the Cisco WebNS software. All versions of WebNS prior to 4.01B23s or 4.10B13s are affected by this vulnerability.

Cisco recommends that users upgrade to a patched version of WebNS and restrict FTP access to the switch.

The ARCservIT Unix Client has two temporary-file race conditions. One of the race conditions requires that the asagent client has never been executed. Both attacks can be used to overwrite any file on the system.

The IRIX Embedded Support Partner package has a buffer overflow that can be exploited by a remote attacker to execute arbitrary commands on the server. The Embedded Support Partner is an administrative tool used to manage large-scale environments and is installed by default under IRIX 6.5.5 and 6.5.8.

SGI recommends that users immediately disable the Embedded Support Partner daemon rpc.espd until they have installed security patch 4123 and that they leave rpc.espd disabled if the Embedded Support Partner system is not being used.

There is a problem in i386 syscalls under Solaris x86 that may be used by an attacker to read or write to arbitrary addresses in kernel memory. Sun reports that this problem affects Solaris x86 versions 2.6, 7, and 8 and Trusted Solaris for Intel versions 7 and 8.

Sun has released patches for Solaris x86 versions 7 and 8, is scheduled to release a patch for Solaris x86 2.6 on June 18, 2001, and will release patches for Trusted Solaris for Intel versions 7 and 8 as soon as they are available.

A "man-in-the-middle" attack against Logitech wireless desktop has been announced that may allow an attacker to sniff keystrokes from the wireless keyboard. The Logitech wireless desktop consists of a wireless keyboard, mouse, and a receiver and uses 25 MHz radio to communicate. An attacker that has sniffed the connection sequence of the victims' devices has a 30-minute window to lock in the frequencies and codes of the victim. It is also possible to add an external antenna to a receiver and extend its range to about 30 meters.

Users should consider the sensitivity of the location and information being input using these devices and decide if they should be used.

The Cheese worm targets machines that appear to have been victims of the Lion (or 1i0n) worm (that have a root shell listening on port 10008). When it infects a machine, it removes the root shells on port 10008 that Lion places in inetd.conf and then begins to scan the network for root shells on port 10008 to find other infected machines. The Cheese worm creates a directory /tmp/.cheese with the following files in it: ADL, cheese, cheese.uue, and psm.

Systems need to be patched by their administrators -- not by software that may or may not be friendly. Systems that are affected by this worm were not only left unpatched after the BIND advisory, but were also left unpatched after the Lion worm advisory. These systems may have much greater problems than the Lion worm -- many more problems than another worm, no matter how friendly, can hope to fix.